❔ SSL inside AWS EC2
Hello everyone, I am having issues with SSL. I bought a certificate from Sectigo (which I believe is a trusted CA), but when I connected the SSL certificate to nginx and to my NestJS app inside AWS EC2, I am getting a 'connection not secured' error. How do I solve this issue? Thanks
Here is the nginx config:
how/where are you getting that error?
(you also got ripped off, SSL certs are free these days via Let's Encrypt)
(I believe AWS has an SSL cert provisioning thing as well)
an SSL cert signed by a public root CA?
seemingly yes https://aws.amazon.com/certificate-manager/
did you connect to the site via HTTPS?
(and not HTTP)
also SSL certs are free
SSL certs signed by a globally-trusted root CA?
Let's Encrypt
so, like
if everyone can get one
doesn't that dilute the trust of the whole system?
that was always my understanding of why it used to be expensive
Let's Encrypt only issues DV (domain validation) certificates
not EV certs, which also verify the identity of the person or org behind the site
okay
TIL
I have some certs to go make tonight
EV having a price tag makes sense because you need to actually verify the paperwork being sent to you
but DV can be done in an entirely automatic fashion, via the various ACME challenges
ah, okay
so you have to be able to prove you own a particular domain name, then you can get a cert for it
yes
there's a couple challenges for this
the HTTP challenge involves serving a particular string from a particular path on your server (you're given the string to serve when starting the challenge)
yeah
the DNS challenge has you add a particular TXT record to your DNS records (handy for non-HTTP scenarios, or for sites not publicly reachable)
I think there might be some others as well
I, in fact, do not have some certs to make tonight
ACME is also what enables LE certs to have such short expiries (90 days)
is that the normal lifetime?
you gotta re-verify every 90 days?
yes
but the idea is you have certbot or another ACME client just running on a schedule
redoing your certs every 30 days or so (iirc)
only intervening when there's a failure
do the verification secrets change each time?
more so, if these secrets are exposed on a public endpoint that the challenger calls, how do they not get stolen?
[link preview: Let's Encrypt, "How It Works": The objective of Let's Encrypt and the ACME protocol is to make it possible to set up an HTTPS server and have it automatically obtain a browser-trusted certificate, without any human intervention. This is accomplished by running a certificate management agent on the web server.]
[link preview: SSL.com Support Team, "Which ACME Challenge Type Should I Use? HTTP-01 or DNS-01?": This FAQ outlines the advantages and disadvantages of both DV methods.]
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.